[openssh-commits] [openssh] branch V_10_3 created (now 2d98db983)
git+noreply at mindrot.org
Thu Apr 2 20:26:15 AEDT 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch V_10_3
in repository openssh.
at 2d98db983 autogenerated files for release
This branch includes the following new commits:
new 5d72f1865 properly bail out when PAM changes username
new 78d549857 upstream: Fix possible sshd crash when sshd_config set MaxStartups
new c805b97b6 upstream: add missing askpass check when using
new 487e8ac14 upstream: when downloading files as root in legacy (-O) mode and
new fd1c7e131 upstream: correctly match ECDSA signature algorithms against
new 76685c9b0 upstream: move username validity check for usernames specified on
new eb3a5bb2a upstream: openssh-10.3
new 5aa09926f upstream: adapt to username validity check change
new f8b9d694f Update versions in RPM spec files
new 4168c9059 depend
new 500b2036a update release notes URL
new 2d98db983 autogenerated files for release
The 12 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 500b2036a0572f587898805078d7df788de50d67
Author: Damien Miller <djm at mindrot.org>
Date: Thu Apr 2 19:08:44 2026 +1100
update release notes URL
commit 2d98db98331803cbb820211b2fb0d31a6e71e58e
Author: Damien Miller <djm at mindrot.org>
Date: Thu Apr 2 19:07:03 2026 +1100
autogenerated files for release
commit 4168c905943f7f715182180b9f7c8cda54af2514
Author: Damien Miller <djm at mindrot.org>
Date: Thu Apr 2 18:56:48 2026 +1100
depend
commit f8b9d694fc20349b6c48a4af03a0499dea00f5f9
Author: Damien Miller <djm at mindrot.org>
Date: Thu Apr 2 18:55:50 2026 +1100
Update versions in RPM spec files
commit 5aa09926fbf050d484a79717fadec8360c5c5645
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Apr 2 07:52:15 2026 +0000
upstream: adapt to username validity check change
OpenBSD-Regress-ID: d22c66ca60f0d934a75e6ca752c4c11b9f4a5324
commit eb3a5bb2abd4798ff546564eb2210d188efaf0f1
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Apr 2 07:51:12 2026 +0000
upstream: openssh-10.3
OpenBSD-Commit-ID: 05e22de74e090e5a174998fa5799317d70ad19c4
commit fd1c7e131f331942d20f42f31e79912d570081fa
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Apr 2 07:48:13 2026 +0000
upstream: correctly match ECDSA signature algorithms against
algorithm allowlists: HostKeyAlgorithms, PubkeyAcceptedAlgorithms and
HostbasedAcceptedAlgorithms.
Previously, if any ECDSA type (say "ecdsa-sha2-nistp521") was
present in one of these lists, then all ECDSA algorithms would
be permitted.
Reported by Christos Papakonstantinou of Cantina and Spearbit.
OpenBSD-Commit-ID: c790e2687c35989ae34a00e709be935c55b16a86
commit 76685c9b09a66435cd2ad8373246adf1c53976d3
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Apr 2 07:50:55 2026 +0000
upstream: move username validity check for usernames specified on
the commandline to earlier in main(), specifically before some contexts where
a username with shell characters might be expanded by a %u directive in
ssh_config.
We continue to recommend against using untrusted input on
the SSH commandline. Mitigations like this are not 100%
guarantees of safety because we can't control every
combination of user shell and configuration where they are
used.
Reported by Florian Kohnhäuser
OpenBSD-Commit-ID: 25ef72223f5ccf1c38d307ae77c23c03f59acc55
commit c805b97b67c774e0bf922ffb29dfbcda9d7b5add
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Apr 2 07:39:57 2026 +0000
upstream: add missing askpass check when using
ControlMaster=ask/autoask and "ssh -O proxy ..."; reported by Michalis
Vasileiadis
OpenBSD-Commit-ID: 8dd7b9b96534e9a8726916b96d36bed466d3836a
commit 487e8ac146f7d6616f65c125d5edb210519b833a
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Apr 2 07:42:16 2026 +0000
upstream: when downloading files as root in legacy (-O) mode and
without the -p (preserve modes) flag set, clear setuid/setgid bits from
downloaded files as one might expect.
AFAIK this bug dates back to the original Berkeley rcp program.
Reported by Christos Papakonstantinou of Cantina and Spearbit.
OpenBSD-Commit-ID: 49e902fca8dd933a92a9b547ab31f63e86729fa1
commit 78d549857e0cc480c3cbb0a3571078920e3b79c5
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Apr 2 07:38:14 2026 +0000
upstream: Fix possible sshd crash when sshd_config set MaxStartups
to a value <10 using the single-argument form of MaxStartups (e.g.
MaxStartups=3). This doesn't affect the three-argument form of the directive
(e.g. MaxStartups 3:20:5).
Patch from Peter Kaestle via bz3941
OpenBSD-Commit-ID: 1ad093cae69f55ebfdea1ab24318aefd593d63b8
commit 5d72f1865b95ebfd99ea7baa8f6f2a4b721d151e
Author: Damien Miller <djm at mindrot.org>
Date: Thu Apr 2 18:32:00 2026 +1100
properly bail out when PAM changes username
OpenSSH doesn't support PAM changing its conception of the
username via a module calling pam_set_item(h, PAM_USER, ...).
We were supposed to bail out here, but I messed up while "fixing"
this last time and dropped a return statement.
Reported by Mike Damm
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
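
An added example, not part of this commit email or of OpenSSH's code: a configuration check related to commit fd1c7e131. It reads resolved configuration output in the `sshd -T` / `ssh -G` style and reports allowlists that name only some ECDSA algorithms, which are the configurations where the matching described in that commit permitted more than was listed. The sample dump is constructed, and limiting the check to the three plain `ecdsa-sha2-nistp*` names (no certificate or security-key variants) is an assumption.

```python
# Added example: audits resolved SSH configuration output for allowlists that
# name only part of the ECDSA family. Sample data below is constructed.

# The three allowlist directives named in the commit message, in the
# lowercase form printed by "sshd -T" and "ssh -G".
ALLOWLISTS = (
    "hostkeyalgorithms",
    "pubkeyacceptedalgorithms",
    "hostbasedacceptedalgorithms",
)

# Assumption: only the plain ECDSA signature algorithm names are examined.
ECDSA_NAMES = (
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
)


def audit_ecdsa_allowlists(dump):
    """Return {directive: [unlisted ECDSA names]} for every allowlist that
    names at least one, but not all, of the plain ECDSA algorithms."""
    findings = {}
    for line in dump.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in ALLOWLISTS:
            continue
        listed = {name.strip() for name in parts[1].split(",")}
        present = [n for n in ECDSA_NAMES if n in listed]
        unlisted = [n for n in ECDSA_NAMES if n not in listed]
        if present and unlisted:
            findings[parts[0].lower()] = unlisted
    return findings


# Constructed sample in the format of resolved configuration output.
SAMPLE_DUMP = """\
port 22
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp521
hostbasedacceptedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
"""

if __name__ == "__main__":
    for directive, unlisted in audit_ecdsa_allowlists(SAMPLE_DUMP).items():
        print(f"{directive}: review, not listed: {', '.join(unlisted)}")
```

A directive reported here is one whose administrator intended to exclude the unlisted curves, so it is worth confirming the installed version includes the fix.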